Field of the Invention
The present invention relates to systems and methods of maintaining security among workloads in a multi-tenant cloud environment.
Background of the Related Art
In a hosted workload environment, where multiple workloads may share the same processor simultaneously, all workloads have to grant trust to the host. This is due to the fact that the operating system and other similar software (such as debuggers and other hardware analysis tools) can inspect all detailed processor state data. However, in a multi-tenant environment, there is a potential lack of security or trust problem in that a workload run by one tenant may be able to read data belonging to another workload run by another tenant. There are no known solutions to solving the trust problem at the processor level.
Existing technology encrypts data that is stored in off-chip storage in order to prevent unauthorized access by processes or tools that have access to that off-chip storage. However, data within the CPU chip package is currently only protected by isolating one workload from another. Typically, one workload is isolated from another workload by granting sole ownership of the CPU or entire server to one specific workload at a time. This isolation is inefficient for cloud or virtualized environments where multiple workloads share the same hardware to achieve better utilization and economies of scale.